WordPress powers a quarter of all websites worldwide and this is what makes it an irresistible target for hackers. According to Wordfence.com, around 35 million brute force attacks were blocked on WordPress daily in July 17. Not only this, the number is on an uptick. Needless to say, this necessitates that you take security measures for your WordPress website. However, as WordPress is an open source software, it has many protective plugins, functions, and techniques which can be used. Listed below are set of security measure for WordPress website which we deem to be the bare minimum.
1. Using Strong Usernames and Passwords:
The most overlooked, yet the most basic and important step in protecting your website is to change the default admin username. To do this, go to PHPMyAdmin database manager and enter “UPDATE wp_users SET user_login = ‘mynewuser’ WHERE user_login = ‘admin’;” SQL query and change the “mynewuser” to whatever name you wish to use.
One cannot stress the importance of strong passwords in protecting your website. We strongly recommend changing your password if it is not at least 10 characters long with numbers and letters, capitals and lowercase. To enhance your security, you could also enable two-factor authentication through the use of plugins such as iThemes security.
2. Securing the Login Screen
However, strong a username/password combination you have used, a dedicated hacker can get access to your website if he had enough time at his disposal. To avoid this, limit the number of login attempts – allowed from a single source in a specified time period – programs like Limit Login Attempts, help you do this. Make sure your login screen does not prompt users of potential errors that could be made. Adding Captchas is a valuable tool to secure login screens from bots. Additionally, you can also ensure that configuration notification is sent to you whenever there is a fishy login attempt. This can be achieved using plugins to overcome security challenges.
3. Restricting file and folder permissions
Understanding what access is to be given to which folder is critical for you to maintain the site’s security. 644 and 755 are two common file permission modes. Files categorized under 644 can be read and written to by their owner but only read by everyone else – the ideal setting for most files. The 755 mode allows all users to change the file. Additionally, you can also disallow file editing by including “define ( ‘DISALLOW_FILE_EDIT’, true);” in your wp-config.php file.
4. Keeping up with Upgrades
Primarily WordPress updates are released to plug security holes, in addition to fixing bugs and introducing new features. Make sure you update your WordPress version, theme and plugin to the latest version. WordPress security releases should be particularly paid attention to.
5. Malware Monitoring
We recommend having a system in place to monitor your site for malware. WordPress provides a free security plugin, Sucuri, which does this task for you. Once you have installed and activated the free plugin, generate a free API key. Following which, click on the Hardening tab from the menu. It is recommended that you go through every option and then click on the “Harden” button. Once the malware is scanned, Sucuri will help you clean it.
6. Hiding your WordPress version number
To avoid hackers from benefiting from information about bugs associated with your version number, it is recommended that you hide your WordPress version number. The following steps help you in doing the same:
- In an older theme, removing the line “php bloginfo( ‘version’);?>”/>” from the theme’s header.php file does the trick
- In a newer theme, adding “<?php remove action (‘wp head’ , ‘wp generator’) ;?>” in your theme’ function.php file does the trick
7. Disabling directory browsing
It is recommended that you disable directory browsing for your site. To do this upload a blank index.html or index.php file in each directory and subdirectory except the root.
8. Adding plugins to secure WordPress
There are a variety of plugins available which can help you secure your site. We list down 5 below which we consider to be the best:
Real-time blocking from malicious sources, login security, malware scans, a firewall and support for multi-site are among a host of features provided by this plugin. A variety of options allow you to scan traffic to your WordPress install in real time while categorizing errors into humans, bots, login attempts and “site not found”.
Featuring two-factor authentication with Google Authentication or Authy, it also provides malware scans, forced password expiration dates, file comparison, ability to temporarily grant admin privileges to other users and detailed logs of users’ actions.
With a friendly interface showing you a Security Strength Meter, a Security Points Breakdown and the status of critical features such as default usernames, login lockdowns, file permissions and a firewall, All In One feature are divided into basic, intermediate and advanced sections which include account and login security, registration security, database backup, file system protection, blacklisting, firewall functions and brute-force attack prevention.
This plugin includes .htaccess protection, login security protocols, automatic database backups, HTTP error logs, authentication cookies expiration along with a multitude of other features.
It offers overall security auditing, file modifications and permissions, malware scanning, blacklists, a firewall, and notifications. With notifications delivered via email, you can set a maximum per hour, define a threshold of failed logins from the same IP address before they’re considered malicious, and get alerted to both successful and failed logins and post changes.
9. Automatically logging out idle users\
To automatically log out idle users install and activate the Idle User Logout plugin. Once activated, visit Settings » Idle User Logout page to configure the plugin. One needs to simply set the time duration and uncheck the box next to “Disable in wp-admin” for enhanced security.
These are the nine bare minimum points you should adhere to while using WordPress. We strongly recommend that you use them as checklists to access the security of your site. It would be folly to take these tips lightly and then repent later. After all, we all know the adage “Prevention is better than cure”.
Brandon Graves is well known WordPress developer work with HireWPGeeks: Best company converts website to WordPress. He keeps writing on various WordPress issues such as Plugin development, error solution, security concern and website SEO. Follow him on Facebook to get more updates.